Upromise, a membership rewards service for those trying to save money for college, recently settled with the Federal Trade Commission over charges that it collected consumers’ personal information without adequate disclosures.

Consumers enrolled in the Upromise service received a rebate when they purchased goods or services from Upromise partners. The company’s Web site also offered a “TurboSaver Toolbar” download that highlighted partners’ products in consumers’ search results with “Personalized Offers” in order “to provide college savings opportunities tailored to you.” But according to the FTC, the feature in fact tracked consumers’ Internet history and collected “extensive” personal information, such as user names, passwords, search terms, and even credit card and financial account numbers, security codes and expiration dates. Upromise then transmitted the information without encryption.

The agency estimated that at least 150,000 consumers used the Toolbar between 2005 and 2010. Upromise’s privacy statement claimed: “We understand the need for our customers’ personal information to remain secure and private and have implemented policies and procedures designed to safeguard your information.”

The company also said it encrypted consumers’ sensitive information in transit and was “proud of the innovations we have made to protect your data and personal identity.”

Further, while the privacy policy acknowledged that it might “infrequently” collect personal information that would be filtered prior to transmission, the FTC said the filter was “too narrow and improperly structured.”

The company’s failure to disclose the extent of the information collected by its Toolbar product, as well as its claims that it protected data and encrypted it in transmission, were deceptive and violated the FTC Act, the agency alleged in its complaint.

The settlement requires Upromise to make clear disclosures about its data collection practices and affirmatively obtain consumers’ consent before installing or enabling toolbar products that collect personal information. The company is also barred from making misrepresentations about its privacy and security practices, and must establish a security program that will be subject to independent security audits for a 20-year period.

Existing data collected through the Toolbar’s “Personalized Offers” feature must be destroyed, and consumers whose information was collected must be notified and informed about how to uninstall Toolbars already on their computers.

To read the complaint in In the Matter of Upromise, click here.

Why it matters: The action “is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security,” the agency said in a press release. The FTC’s first privacy-related enforcement action in 2012 serves as a reminder that companies must ensure that their disclosures about the collection, retention and use of personal information are clear and conspicuous and that data security policies are accurate and up to date.